What it is
Server Message Block (SMB) is a Microsoft network protocol used for file and printer sharing, named pipes, and remote procedure calls (DCE/RPC carried over named pipes). Modern versions run directly over TCP port 445; the older NetBIOS transport used TCP port 139. Within Windows domains, SMB sessions are authenticated with NTLM or Kerberos, so the protocol also carries the credential exchanges that attackers relay and capture. SMB implementations have a long history of critical vulnerabilities that enable remote code execution and worm propagation, and the protocol's authentication flows are routinely abused for credential theft.
Misconfigured shares with weak permissions, anonymous (null-session) access, and legacy protocol versions such as SMBv1 remain common. Attackers use these weaknesses to enumerate and exfiltrate sensitive data, stage tooling and backdoors, spread ransomware, and harvest or relay credentials.
Why it matters
High-impact incidents, including WannaCry and NotPetya in 2017, spread with EternalBlue, an exploit for the SMBv1 flaw fixed in MS17-010, and infected networks at scale within hours. An exposed or unpatched SMB service gives an attacker a foothold that can grow into domain-wide reach, lets them tamper with or encrypt data, and leaks confidential files from over-permissive shares. Weak or anonymous shares also violate most compliance mandates and show up as audit findings.
How to reduce risk
- Disable SMBv1 and enforce SMBv2/3; require SMB signing (and SMB 3.x encryption where clients support it) so sessions cannot be relayed or tampered with.
- Restrict SMB to internal networks: block inbound TCP 445 (and 139) at the perimeter, and use host firewalls to limit which subnets may reach each server.
- Harden share permissions with least privilege at both the share and NTFS level: remove Everyone and Authenticated Users write access and disable anonymous enumeration of shares and accounts.
- Deploy endpoint protection and detection focused on lateral movement and credential dumping.
- Monitor SMB traffic and Windows security logs for unusual file transfers, new connections to administrative shares, privilege escalation, or bursts of failed logons that indicate brute force.
- Keep Windows hosts patched and employ network segmentation to limit blast radius.
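The following script is an added example, not code from the original page: it audits a single Windows host against the first three steps above (SMBv1, signing, share permissions, firewall scope) and, with -Remediate, applies the protocol, signing and firewall fixes. Share permissions are reported only, because deciding who keeps write access needs a human. It runs from an elevated PowerShell session on Windows 8 / Server 2012 or later, using only the in-box SmbShare, NetSecurity, DISM and ServerManager cmdlets. The script name, the default subnet list and the list of "risky" principals are this example's assumptions.

```powershell
# Audit-SmbHost.ps1 - added example, not from the original page.
# Report (and optionally fix) SMB hardening gaps on the local host.
# Assumptions: script name, default subnets, and the $risky principal list.
[CmdletBinding()]
param(
    # Apply fixes for SMBv1, signing and firewall scope; shares are only reported.
    [switch]$Remediate,
    # Subnets that may reach TCP 445 on this host.
    [string[]]$AllowedSubnets = @('10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16')
)

$findings = New-Object System.Collections.Generic.List[string]

# 1. SMBv1 off in the server configuration, and the SMB1 feature removed so it
#    cannot be switched back on by accident.
$srv = Get-SmbServerConfiguration
if ($srv.EnableSMB1Protocol) {
    $findings.Add('SMBv1 is enabled in the SMB server configuration')
    if ($Remediate) { Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force }
}
if (Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue) {
    # Windows Server: SMB1 is a role feature (removal takes effect after a reboot).
    if ((Get-WindowsFeature -Name FS-SMB1).Installed) {
        $findings.Add('Windows feature FS-SMB1 is installed')
        if ($Remediate) { Uninstall-WindowsFeature -Name FS-SMB1 | Out-Null }
    }
} else {
    # Windows client: SMB1 is an optional feature.
    $feat = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    if ($feat -and $feat.State -eq 'Enabled') {
        $findings.Add('Optional feature SMB1Protocol is enabled')
        if ($Remediate) { Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null }
    }
}

# 2. Signing required: defeats NTLM relay against this server and in-transit tampering.
if (-not $srv.RequireSecuritySignature) {
    $findings.Add('SMB signing is not required')
    if ($Remediate) { Set-SmbServerConfiguration -RequireSecuritySignature $true -Force }
}

# 3. Non-admin shares that let broad principals do more than read.
$risky = @('Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users', 'NT AUTHORITY\ANONYMOUS LOGON')
foreach ($share in Get-SmbShare | Where-Object { -not $_.Special }) {
    Get-SmbShareAccess -Name $share.Name |
        Where-Object { $_.AccessControlType -eq 'Allow' -and $_.AccessRight -ne 'Read' -and ($risky -contains $_.AccountName) } |
        ForEach-Object { $findings.Add("Share '$($share.Name)' grants $($_.AccessRight) to $($_.AccountName)") }
}

# 4. Every enabled inbound Allow rule that opens TCP 445 must be scoped to $AllowedSubnets.
#    Windows Firewall lets Block rules override Allow rules, so scope the Allow rules
#    instead of adding a catch-all Block (which would cut off the allowed subnets too).
$smbRules = Get-NetFirewallPortFilter |
    Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -eq '445' } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' -and $_.Action -eq 'Allow' }
foreach ($rule in $smbRules) {
    $remote = ($rule | Get-NetFirewallAddressFilter).RemoteAddress
    if ($remote -contains 'Any') {
        $findings.Add("Firewall rule '$($rule.DisplayName)' allows TCP 445 from any address")
        if ($Remediate) { $rule | Set-NetFirewallRule -RemoteAddress $AllowedSubnets }
    }
}

if ($findings.Count -eq 0) { 'No SMB findings.' } else { $findings }
```

Run `.\Audit-SmbHost.ps1` to list findings, then `.\Audit-SmbHost.ps1 -Remediate -AllowedSubnets '10.20.0.0/16'` to apply the fixes with your own management subnets. Rules whose LocalPort is a range containing 445 are not matched by the simple port check, and clients that still speak only SMBv1 (old printers, NAS appliances) will lose access once step 1 is applied, so inventory them first.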